The interesting thing about cyberspace, unlike any other domain, is that the brains are really the weapon, to a large degree. It's the person and what they know and what they're capable of doing. The intention matters a lot.
I think red teaming and penetration testing—my preferred term is “penetration testing”—are absolutely vital for the development of your security strategy. If you've implemented the best capabilities in the world, if you have the new new security stack, if you've spent and been very smart about it, you always want to have someone who's trying to break in to your network, constantly testing it, looking for vulnerabilities, and thinking like an adversary trying to find their way in.
I won't weigh in on specific recommendations for legislation. It's very complicated, and there is international legislation under way through the Wassenaar agreements and the Wassenaar accords, which you—